Wednesday, 30 May 2012

Flame: msglu32.ocx, Component That Can Track Location

This particular DLL component of the Flame threat is designed to locate various files on the system, read their contents and populate an SQL database with the file contents and characteristics. In addition, this file is capable of collecting geographical identification metadata that may be present in the files it inspects.

The information about the located files is then stored in the database. That data is added and queried with SQL commands such as:

INSERT INTO Media (Type, MediumDescription) VALUES ('%s', '%s')

SELECT State FROM Pst_States WHERE FileName=? AND Size=%u AND LastModification=%I64d

The module contains a large table of 4,173 PostScript glyph names, such as 'alefhamzabelowfinalarabic' or 'alefqamatshebrew'. This table is used to convert PostScript glyph names into Unicode code points - presumably so that the module can parse the text of Adobe PDF documents written in non-Latin scripts such as Hebrew or Arabic.

The DLL checks for the presence of a security product (Kaspersky Anti-Virus) by inspecting the following registry entries:

HKLM\SOFTWARE\KasperskyLab\AVP6

HKLM\SOFTWARE\KasperskyLab\protected\AVP7

If the files it inspects include geographical identification metadata (geotagging), it will extract the following data:

GPS Latitude

GPS Latitude Ref

GPS Longitude

GPS Longitude Ref

GPS Altitude

GPS Altitude Ref

This geotagging data may be present within the images, as shown below:

Some cameras use automatic picture geotagging with a built-in GPS receiver (such as the Panasonic Lumix DMC-TZ10, Sony Alpha 55V, or Canon PowerShot SX230/SX260). Many mobile phones use either a built-in GPS receiver or Wi-Fi positioning (assisted GPS) to embed geotagging in photos by default.

Retrieving the geotagging data allows this Flame component to determine the GPS coordinates of the location where the pictures were taken, or, with some statistical probability, where the compromised system is (or has been) located:
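The six fields listed above are the standard tags of the EXIF GPS sub-IFD (tag 0x8825 in IFD0). The following added example, which is not code from the Flame module or from the original post, shows what those tags yield once decoded and how a defender can audit or strip them from images before they leave a network. It assumes the GPS IFD is supplied as a dict keyed by tag number, the shape Pillow's Image.getexif().get_ifd(0x8825) returns; the sample IFD is constructed and not taken from any real photo.

```python
# EXIF GPS IFD tag numbers for the six fields the module extracts.
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON, GPS_ALT_REF, GPS_ALT = 1, 2, 3, 4, 5, 6
POSITION_TAGS = (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON, GPS_ALT_REF, GPS_ALT)


def _dms_to_decimal(dms, ref):
    """(degrees, minutes, seconds) rationals plus hemisphere ref -> signed decimal degrees."""
    deg, mins, secs = (float(v) for v in dms)
    value = deg + mins / 60.0 + secs / 3600.0
    ref = ref.decode("ascii", "replace") if isinstance(ref, bytes) else str(ref)
    # South and West hemispheres are encoded as a positive DMS value plus the ref letter.
    return -value if ref.strip("\x00").upper() in ("S", "W") else value


def geotag_from_gps_ifd(gps):
    """Return {'lat', 'lon', 'alt'} (degrees / metres) or None if no position is recorded."""
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    result = {
        "lat": _dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF]),
        "lon": _dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF]),
        "alt": None,
    }
    if GPS_ALT in gps:
        alt = float(gps[GPS_ALT])
        ref = gps.get(GPS_ALT_REF, 0)  # BYTE: 0 = above sea level, 1 = below
        ref = ref[0] if isinstance(ref, (bytes, bytearray)) else int(ref)
        result["alt"] = -alt if ref == 1 else alt
    return result


def strip_gps_ifd(gps):
    """Copy of the GPS IFD with the position-bearing tags removed (GPSVersionID etc. are kept)."""
    return {t: v for t, v in gps.items() if t not in POSITION_TAGS}


# Constructed sample (hypothetical values): 31 deg 30' 00" N, 35 deg 28' 00" E, 430 m below sea level.
SAMPLE_GPS_IFD = {
    0: b"\x02\x03\x00\x00",            # GPSVersionID, carries no location
    GPS_LAT_REF: "N", GPS_LAT: (31.0, 30.0, 0.0),
    GPS_LON_REF: "E", GPS_LON: (35.0, 28.0, 0.0),
    GPS_ALT_REF: 1,   GPS_ALT: 430.0,
}

if __name__ == "__main__":
    print("decoded:", geotag_from_gps_ifd(SAMPLE_GPS_IFD))
    print("after strip:", geotag_from_gps_ifd(strip_gps_ifd(SAMPLE_GPS_IFD)))
```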